Symbolically Computing Most-Precise Abstract Operations for Shape Analysis Greta Yorsh Thomas Reps Mooly Sagiv Tel Aviv University University of Wisconsin TACAS’04 Tel Aviv University

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 2 Motivation New approach to using symbolic techniques in abstract interpretation New approach to using symbolic techniques in abstract interpretation –for shape analysis –for other analyses What does it mean to harness a decision procedure for use in static analysis? What does it mean to harness a decision procedure for use in static analysis? –what are the requirements ? –what does it buy us ?

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 3 What are the requirements ? Formulas S ∈  (a) ⇔ S ⊧  (a) ^ AbstractConcrete a  ^  Is  (a) empty? Is  (a) satisfiable? ^ ⇔   (a)

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 4 What does it buy us ? Guarantee the most-precise result w.r.t. to the abstraction Guarantee the most-precise result w.r.t. to the abstraction –best transformer –other abstract operations Modular reasoning Modular reasoning –assume-guarantee reasoning –scalability

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 5 Assume-Guarantee Reasoning T bar(); void foo() { T p;... p = bar();... } {pre bar, post bar } {pre foo, post foo } assume[pre foo ]; assert[pre bar ]; assume[post bar ]; assert[post foo ]; ^ Is  (a) ⇒  valid? assert[  ](a) assume[  ](a) <⊤><⊤> ?

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 6 AbstractConcrete The assume[  ](a) Operation The assume[  ](a) Operation a   =  (  (a)    ) Formulas   (a)  ^ X (a)(a)   ^  (  (a)  ) ^ ^ assume[  ](a) X

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 7 Formulas AbstractConcrete The abstraction operation  (  ) ^   ^ a1a1 a2a2   

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 8 Formulas AbstractConcrete The idea behind  (  )  ^ ^ ans   ⊤ a1a1

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 9 Reminder of the talk Shape analysis Shape analysis –Canonical abstraction Algorithm for abstraction  - example Algorithm for abstraction  - example Abstract operations using  Abstract operations using  Further work Further work ^ ^

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 10 Shape Analysis Static program analysis Static program analysis Determine “shape invariants” Determine “shape invariants” –all possible memory configurations Can be used to Can be used to –Verify programs (partially) –Detect memory errors –Prove properties about dynamically allocated data –Detect logical errors –Code optimizations

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 11 Why is Shape Analysis Difficult? Destructive updating through pointers Destructive updating through pointers –p  next = q –Produces complicated aliasing relationships Dynamic memory allocation Dynamic memory allocation –No bound on the size of run-time data structures Abstract domain of 3-valued structures with canonical abstraction [Sagiv,Reps,Wilhelm] Abstract domain of 3-valued structures with canonical abstraction [Sagiv,Reps,Wilhelm]

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS' Valued Logical Structures Relation meaning over {0, 1, ½} Relation meaning over {0, 1, ½} Kleene Kleene – 1: True – 0: False – ½ : Unknown A join semi-lattice: 0 ⊔ 1 = ½ A join semi-lattice: 0 ⊔ 1 = ½   ½

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 13 Canonical Abstraction x u1u1 u2u2 u3u3 u4u4 c,r x x u1u1 u2u2 x ∃ v 1,v 2 :node u1 (v 1 ) ⋀ node u2 (v 2 ) ⋀∀ w: node u1 (w) ⋁ node u2 (w) ⋀ ∀ w 1,w 2 :node u1 (w 1 ) ⋀ node u1 (w 2 ) ⇒ (w 1 =w 2 ) ⋀⌝ n(w 1,w 2 ) ⋀∀ v:r x (v) ⇔∃ v1: x(v1) ⋀ n*(v1,v) ⋀∀ v:c(v) ⇔∃ v1:n(v,v1) ⋀ n*(v1,v) ⋀∀ v1,v2:x(v1) ⋀ x(v2) ⇒ v1=v2 ⋀ ∀ v,v1,v2:n(v,v1) ⋀ n(v,v2) ⇒ v1=v2 FO TC  (a) ≜ ^

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 14  Example of  (  ) : ^ y == x->n Formulas Concrete  ⊤ ans  ≜ ∀ v 1 :y(v 1 ) ↔ ∃ v 2 : x(v 2 ) ⋀ n(v 2, v 1 ) Abstract x u1u1 u2u2 yy x u1u1 uyuy y x u1u1 u2u2 uyuy y x (()(() ^

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 15 Example - Materialization x u1u1 u2u2 yy x u1u1 u2u2 y y y(u 2 )=0 materialization u 2  u y, u 2 y(u y ) = 1, y(u 2 ) =0 u2u2 x u1u1 uyuy y y y y(u 2 )=1 x u1u1 u2u2 y y  Is  (a)   satisfiable ? ^ y == x->n

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 16 Example – Refinement x u1u1 uyuy y u2u2 n(u y,u 2 ) = 0 u1u1 uyuy y u2u2 x n(u y,u 2 ) = 1 u1u1 uyuy y u2u2 x u1u1 uyuy y u2u2 x n(u y,u 2 ) = ½ ∀ concrete stores ∃ two pairs of nodes n(a 1, a 2 ) = 1 and n(b 1, b 2 ) = 0 ∀ concrete stores ∀ pair of nodes n(a 1, a 2 ) = 1 or n(a 1, a 2 ) = 0 y == x->n Is  (a)   satisfiable ? ^

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 17 Abstract Operations  (  ) – best abstract value that represents  What does it buy us ? assume[  ](a) =  (  (a) ⋀  ) – –assume-guarantee reasoning – –pre- and post-conditions specified by logical formulas BT(t,a) =  (  ( extend (a)) ⋀ t ) – –best abstract transformer – –parametric abstractions meet(a 1, a 2 ) =  (  (a 1 ) ⋀  (a 2 ) ) ^ ^^ ^ ^ ^ ^ ^ ^

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 18 SPASS Experience Handles arbitrary FO formulas Handles arbitrary FO formulas Can diverge Can diverge –use timeout Converges in our examples Converges in our examples –Captures older shape analysis algorithms How to handle FO TC ? How to handle FO TC ? –Overapproximations lead to too many structures

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 19 Decidable Transitive-closure Logic Neil Immerman (UMASS), Alexander Rabinovich (TAU) Neil Immerman (UMASS), Alexander Rabinovich (TAU) ∃∀ (TC,f) is subset of FO TC ∃∀ (TC,f) is subset of FO TC –exist-forall form –arbitrary unary relations –single function f Decidable for satisfiability Decidable for satisfiability –NEXPTIME-complete Any “reasonable” extension is undecidable Any “reasonable” extension is undecidable Rather limited Rather limited

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 20 Simulation Technique – CAV’04 Neil Immerman (UMASS), Alexander Rabinovich (TAU) Neil Immerman (UMASS), Alexander Rabinovich (TAU) Simulate realistic data structures using decidable logic over tractable structures Simulate realistic data structures using decidable logic over tractable structures –Singly linked list - shared/cyclic/nested –Doubly linked list –Trees Preserved under mutations Preserved under mutations Abstract interpretation, Hoare-style verification Abstract interpretation, Hoare-style verification

April 2004 Symbolically computing most-precise abstract operations for shape analysis - TACAS'04 21 Further Work Implementation Implementation Decidable logic for shape analysis Decidable logic for shape analysis Assume-guarantee of “real” programs Assume-guarantee of “real” programs –case study: Java Collection –specification language –write procedure specifications Extend to other domains Extend to other domains –Infinite-height gretay